Tuesday, December 22, 2015

What's in Your Home Computer Security Toolkit?

   It's always great to get questions and comments from readers.  I received this question recently:
My home recipe is Windows Defender, Malwarebytes and KeePass. Is that a good approach or should I be thinking about adding something to my security toolkit in 2016?
   Thanks for the great question!  You’ve got some good bases covered:
  • Anti-malware (I also use defender)
  • Malware removal (I also use malwarebytes), and
  • A password vault (I use LastPass)
   That’s a great start. To round out the core toolkit, I’d add 2 things:
  1. Backups – you’ve got irreplacable pictures, tax returns, music and info of all sorts. There are many of good online products available that encrypt your data before cloud storage. I use CrashPlan, but there are many others.  For extra bonus points, you can both backup one computer to another computer and to the cloud.  That way you have more than one way to recover.

  2. Next, 2-factor authentication should be added for any sites and accounts where available.  This nicely complements your password vault so that even if an attacker stole individual or multiple passwords, they still couldn't log in to your accounts without your phone or other second authentication device.  I wrote about this recently.
   There are also a few things to do:

Tuesday, December 8, 2015

The First Rule of Security




   That's a classic scene from a great movie.  And, if you think the movie is twisted, you should definitely read the book or the audiobook!

   Many people know that the first rule of Fight Club is that you don't talk about Fight Club.  That's because they didn't want to draw attention.

   But in security, the first rule of security is:


   That means a number of things:
  • Security Awareness - a program at your organization to promote security themes.  I like to focus on information people can use at home.  I've talked about this in the past.
  • Public Awareness - similar to security awareness but here security pros, IT pros, law enforcement pros, or really anyone, talks to the public about security and privacy issues.  There are opportunities through the schools, community centers or school district parent organizations.
  • Conferences - are a great way for people to learn more about security and for security and IT pros to learn more, improve their skills and make great contacts.  I was recently at the HIMSS Privacy & Security Forum in Boston.  I saw old friends and made new ones, heard some great speakers (and did a bit of speaking myself) and learned a few things.
  • Professional Organizations - There are many IT and security professional organizations.  Some of the organizations I participate in include ISSA, ISACA and Infragard.  There are local chapters in most areas.
  • Other local groups - in addition to the formal professional organizations, many areas have local groups for security leaders or security practitioners.  You can find out about these groups and conferences or professional organization local meetings.
  • 1:1 discussions - talk with a security pro about security!  Even better... talk with someone who's not a security pro about security!
   Here's the thing... the attackers - the people who are trying to break into networks or your home computer to steal data - talk to each other.  They share ideas and techniques.  They learn from each other.  We must do the same.

   How do you talk about security?

Monday, November 23, 2015

Do the Amazon 2-Step... Now!

   It's not a new song or a new dance...  Amazon has just announced 2-step, aka 2-factor or multi-factor, authentication for online logins!  It's overdue but I'm glad it's here.

   We've talked about 2-factor authentication in the past so I won't go deeply into it in this post.  The important take-away is that Amazon now offers this service and you should use it!

   Here's an overview article and here's a great step-by-step with screen shots.  I set this up for my account and it was really easy using my phone and Google Authenticator.  You can also use text messaging, or setup text messaging as a backup method.

   The main reason that 2-factor is good and important is that it prevents an attacker, who has stolen your userid and password, from logging in as you.  This is because they would need to have your smartphone in addition to the userid and password! (yes, there are other methods as well).

Tuesday, November 10, 2015

Hospital Held Hostage

  A number of people alerted me that a recent episode of CSI:Cyber, which aired on 11/1/15, had as its theme a cyber attack on a hospital.  The episode was entitled "hack E.R." (see what they did there??? :-) )

   The episode begins with an ominous image showing up on computer screens and all systems in a fictional hospital being under the control of an online attacker.  They threaten to kill a victim every four hours if not paid a ransom.  They then kill a victim by causing an infusion pump to deliver a fatal dose of morphine while preventing the patient's heart monitor from alarming.

   We then follow the CSI:Cyber team and the hospital staff as they try to solve the mystery and track down and stop the attacker.  I won't give a full synopsis nor a review.  You can find some of that here and here (spoiler alert - these linked articles do give away the ending).

   Let's review what was potentially real and some of the deficiencies of the episode.  First the realistic.

Monday, October 26, 2015

The Celebration Continues - Building the Next Generation

  We have arrived at our last week of celebration of US Cyber Security Awareness month!

   I've been posting comments in line with the weekly themes put together by DHS.  This week the theme is Building the Next Generation of Cyber Professionals.

   Whenever information security managers get together, one of the topics is often the talent crunch.  In almost any metro area in the US there is close to zero unemployment in security.  Add to that the coming brain drain as the baby boomers retire, and we have a looming problem.

   On the positive side, we're seeing more university and community college infosec programs.

   But there is more work than people.  The federal government estimates that they need 10,000 new infosec professionals in the coming years.  How is that going to work?

Monday, October 19, 2015

The Celebration Continues! - Your Evolving Digital Life

   We continue our celebration of US Cyber Security Awareness month!  This partnership between Homeland SecurityNCSA (National Cyber Security Alliance) and the MS-ISAC (Multi-State Information Sharing and Analysis Center) is an opportunity to recognize the importance of information security.  It started in 2003 as a way to build awareness for online security and privacy and to encourage individuals, business and government.

   This is another of my weekly posts connected with the weekly themes put together by DHS.  This week the theme is Your Evolving Digital Life.

   You practically need to be online to survive and thrive in today's world.  Whether we're talking about digital natives or newbies, we all need to handle some aspects of our lives online.  And all ages are involved!  Senior Citizens are the fastest growing online demographic group.  Not to be outdone, over 33% of babies born in the US already have some kind of online presence!  And people aren't the only online residents... our refrigerators, cars, scales, light bulbs, power grids and medical devices have joined us.

Monday, October 12, 2015

Keep Celebrating! - Mobile and Social

   We continue our celebration of US Cyber Security Awareness month!  This partnership between Homeland Security, NCSA (National Cyber Security Alliance) and the MS-ISAC (Multi-State Information Sharing and Analysis Center) is an opportunity to recognize the importance of information security.  It started in 2003 as a way to build awareness for online security and privacy and to encourage individuals, business and government.

   This is another of my weekly posts connected with the weekly themes put together by DHS.  This week the theme is staying protected while always connected.  That rhymes!

   We are always connected!  According to the Pew Research Center, in 2015 90% of american adults own a cell phone, 64% own a smart phone.  And one of the major uses for smart phones is... not calls but social media!  How do we stay safe online and on the move?

Monday, October 5, 2015

Celebrate! - A Culture of Security

   It's time again to celebrate that wonderful US event... Happy Cyber Security Awareness month!  This partnership between Homeland Security, NCSA (National Cyber Security Alliance) and the MS-ISAC (Multi-State Information Sharing and Analysis Center) is an opportunity to recognize the importance of information security.  It started in 2003 as a way to build awareness for online security and privacy and to encourage individuals, business and government.

   This month I'll be putting out weekly posts connected with the weekly themes put together by DHS.  This week the theme is creating a culture of security.

   The message is simple... in the workplace security is a team sport.  All organizations have customers, patients, systems and data to protect.  To accomplish this, security must be part of everyone's job.

Tuesday, September 15, 2015

Bring It On Home

   I'm giving a presentation at the Twin Cities ISSA Security Awareness SIG.  I'll be talking about a number of different methods I've used over the years to create buzz and interest about security and make topics accessible to everyone.

   I was planning to refer to one of my earliest blog posts, covering my general philosophy on this topic.  But... going through past posts it appears that, while I've alluded to the ideas, I never actually wrote the post!  So I'll do that now!


   Like the song says, I try to bring it on home.  I find that while people do want to understand security rules at work, when we start talking about things like home computers, smart phones and family internet safety, then we get peoples' attention.

   And that's a great thing!  For a bunch of reasons:
  • When people think about protecting themselves and family and data, it helps them remember that in the office we are protecting customers'/patients'/users' privacy and data.
  • Security needs the eyes and ears of all staff to help us know what is going on.  Security Awareness focusing on personal topics helps open the communication channels to the security team.  We're not so scary! :-)
  • When staff understand more about how security topics can help them, we gain real evangelists.
   And yet there is still controversy about the usefulness of Security Awareness.  But I think it's one of the most important and useful things we can do to help secure our environments.

   Here's a link to the slides from my presentation.

   And here are a few of my past favorite security awareness posts:
   If you are a computer use, what are some topics you'd like to learn more about?

   If you are an information security professional, what tips and techniques would you like to share?

Tuesday, September 1, 2015

The XORcist (aka Get Rid of Bad Encryption)

   I remember when the movie version of the Exorcist came out.  I was in high school and it was probably the scariest, most graphic movie released by that time.  Parents didn't want their kids to see it.  There were all kinds of media discussions about the potential detrimental effects to roller-skating Linda Blair, who played the possessed Regan.  It was a freaky movie, at least for it's day, though it was way surpassed in gore by the slasher movies of the 80s.

   I recently read the book (well, you know... audiobook!).  It's well written and I recommend it.  But it is graphic, and there's plenty that wasn't in the movie.

   Easily as scary is the way many systems and sites handle encryption!  For those who don't get the title... XOR is a basic mathematical function that all computers can do easily and quickly.  It's critical for computer operations, and is used in some encryption operations, but is not really a strong encryption method by itself.  If you want to learn more about XOR, look here or here.

   I've covered problems with passwords many times here.  One of the problems that has allowed password breaches to work is poor encryption of the password file.  XOR is not a strong encryption method!

   So what does this all mean?  I have two messages... one for programmers and one for everyone else.

   Programmers.  Don't invent your own encryption.  There are fantastic, freely available encryption routines out there that you can use in your code.  Or, your organization may already have standard encryption methods you can use.  Bottom line is that 2000 years of mathematics has led us to some pretty solid encryption algorithms.  Use them!  Friends don't let friends use bad encryption!  Here are some great references.

   Everyone else.  Password storage should use something we call a "one-way hash".  Not a tasty dish, but a method of encrypting data so it can't be decrypted.  That means that no one should be able to tell you your password!  So, if you call customer support or the help desk because you forgot your password, and they can tell you your actual password... run!


   Can you think of any examples of bad encryption?  Do you know of any websites that can show you a forgotten password?

Tuesday, August 18, 2015

Crypto Where?

   It's that scary moment...  You're getting some work done on your computer when you see a dreaded pop-up message:

   CryptoLocker, CryptoWall and other crypto-/ransom-ware has been in the news again (or still?).  This kind of malware attack was first identified in 2013.  Rather than trying to steal information, the malware encrypts your files.  But you don't have the key to decrypt.  The attacker offers, through a pop-up message, to "sell" you the "service" to unlock your files.  To make things worse, the attacker threatens to delete the keys after a set amount of time, typically 72 hours, which could prevent you from recovering the files.

   These ransom-ware viruses are usually sent to your computer as an email attachment.  The attachment can be an office file, pdf, zip file or other file.  The malware can also come from an infected web link.

   When your computer is infected, the virus operates quietly in the background, encrypting files.  You usually won't know there's a problem until the files are encrypted, and then you're in trouble.

   So if you are infected and encrypted... then what?  Well, there's bad news, good news, more bad news and some more potentially good news!

Tuesday, August 4, 2015

See the Man With the StageFright

   I always liked the way Rick Danko sang that song, and I saw him perform it a few times.



   But now we have a new StageFright, a vulnerability in the base android phone operating system.  This is an equal-opportunity vulnerability effecting all android phones (nearly 1 billion!).  Like many new vulnerabilities discovered in the past year, this one has a name and a logo.

   The issue is a "feature" in the way androids pre-processes MMS multi-media messages (pictures, videos) sent via your text messaging app.  That could be the stock messaging app, a custom messaging app from your phone manufacturer or data provider, or even Google Hangouts.

   Here's why the vulnerability is so bad... you don't have to open the message!  You don't even have to know that you received the message.  All it takes is for your phone to automatically download a malicious message in the background - which is exactly what it does - for your phone to be owned!  That's a problem.

   At the time I wrote this column, there seems to be a fix only for Google-branded phones, and that's a very small percentage of all phones.  You can check with your carrier to find out when you'll get a patch.

   Meanwhile, there is a work-around.  You need to configure your messaging app to not automatically download MMS messages.

  1. Open you rmessaging app.
  2. Go to Settings
  3. Select: Multimedia messages
  4. un-select Auto Retrieve
   Now, when someone tries to send you a message with multi-media content, you'll see that the message arrived, but the photo or video will not be downloaded.  Only tap to download if the message came from a trusted source.

   Of course, you should also keep your phone patched by applying all phone and app updates.  And... get rid of any apps you don't need.

   Here are some references for more info.

Tuesday, July 21, 2015

Must Click Immediately!

I received this email recently.  Looks legit and serious! :-)  I better open that attachment...


   While many people would recognize this as a problem, many others would click to see what info is in the attachment.

   We regularly read about advanced and targeted attacks.  While there is plenty of nasty malware out there, most attacks start with a click.  Make sure it's not yours!

   Here are some tips to help you recognize a phishing email.

Tuesday, July 7, 2015

ID Fraud... What to do Now

   I've written about Identity Fraud in the past.  Today I'd like to review what you need to do now if you are a victim.  I have written about this before, but a picture is worth a thousand words... and a video?...


Tuesday, June 23, 2015

Say It Ain't So LastPass!

   There are so many data breaches happening each week that it's easy to become numb to all the announcements.  Sometimes one or two dominate the news because of the size or importance of the breach.  Sometimes there is confusion in the media about the breach or the significance.  Sometimes the experts don't agree.

   I think most people have heard about the OPM - Federal (US) Office of Personnel Management - breach in which personal information on over 4 million people, including security clearance information, possibly dating back to 1985 was stolen in attack on federal computers.  Everyone agrees that this one was big and bad.  But also in the news was the breach of information at LastPass, and there is far less consensus on the impact.

   LastPass is a password vault - a program that lets you store all your passwords in an encrypted "safe".  I've talked about password vaults many times in the past.  I have always recommended the use of a password vault and I still do.

   First, let's discuss what happened.

Tuesday, April 28, 2015

I Know Where Your Cat Lives!

   Today's post brings together two of the most important, popular and topics online - security and privacy of your information on the Internet and... Cats!

   We know why the first topic is important.  I've written plenty about data breaches, keeping yourself safe online and how to decrease your exposure to identity fraud.  But cats?  Interestingly, the Internet has had a long fascination with cats.  And memes are everywhere starting with the early days of Lolcats and Keyboard Cat.  Disclaimer - I am not a cat person... I don't own any and am not a fan.  But I do like a good meme!

  Regardless of your pet of choice, we do care about our pets and they are often treated like members of the families.  And that includes... pictures.  If you do a search on cat pictures or pet pictures, you'll see plenty.  If you look on people's social network profiles, Facebook, Instagram, Pinterest, etc., there will be pet pictures all over the place.  You can even find them on "professional" sites like LinkedIn.

   Looping back to security and privacy... it's hard enough to keep your data safe when you're deciding what to share.  Many sites deal with the normal stuff - name, A/S/L, credit card numbers, and more.  You can enter this info to a site, or not.  But it's much harder when you don't realize that you are sharing data.  Or, put another way, how do you know when you're sharing more than you think you are.  There is hidden data and data sharing happening on the net everywhere.  For example, when you connect to a website, that connection creates a log that includes things like: your IP address, your browser type, your computer/phone/tablet operating system and other info.  The site may put a "tracking cookie" on your machine to help customize your experience while gathering more data.

   Then there's metadata.  This is data about data.  For example, when you take a picture with a digital camera or your phone, there is all kinds of additional data "attached" to that photo including: location, IP address, and timestamp.  There is also a great deal of extra visual information, other than the core subject in the photo including: views of your house, entrances, other people and surroundings.

   There is a fun and interesting website called "I Know Where Your Cat Lives".  They simply connect to photo sharing and social sites, grab cat photos, mine the metadata, connect the photo to a map, and create stats and charts.  Oh yes, and display cat photos!

   The lesson here is to pay attention to your digital surrounding.  When you take a picture, know what else is in that picture.  When upload a picture to a site, think about what data is going with that picture.  Most photo software gives you the ability to edit and alter most of the metadata.  Are you automatically uploading photos?

Tuesday, April 14, 2015

It Wasn't Englebart's Fault! (part 2)

   When we have a post with a "part 1", it probably means we should have a "part 2".  Sometimes other things get in the way!

   A few posts ago we had part 1 of this discussion.  To briefly review, Douglas Englebart was an engineer, inventor and pioneer of the early internet.  He died in 2013.  He was known for a number of key ideas and inventions.  In 1967, he invented a very useful computer device that is a key component in propagating malware and facilitating phishing attacks... the Mouse!

   In part 1 we discussed how malware (malicious software) like viruses get into our computer systems.  Today we'll wrap things up by looking at why it's difficult for our organizations to stop this malware (and why it's difficult to stop this at home).

   Really, the primary issue this stuff is hard to stop is because it's too easy to click on links and attachments.  As we discussed in part 1, as long as we're clicking, we'll have problems.

   But what about anti-virus software?  Anti-virus (or anti-malware or endpoint protection) software has been around for nearly 30 years.  Yet malware problems seem to be getting worse.  (I'll continue to use the term "virus" generically, but I'm really talking about any kind of malware.)

Tuesday, March 31, 2015

Sign Up Now at IRS.gov!

   ID Fraud has been a popular topic lately.  This is especially timely with it being tax season in the US and the filing deadline around the corner.  I wrote about ID Fraud and taxes a few posts ago.

   I'm a big fan of Brian Krebs' work.  Whether you're a security professional or a consumer interested in the security and privacy of your information (or both!), his blog posts and articles are usually great reads.  He recently put up a post entitled "Sign up at IRS.gov, before the crooks do it for you".  Read it here.

   It turns out that the IRS has a function on its website that allows you to get information about your past and current returns.  You need to create an account to do so.  The site does use a form of "identity proofing".  This means that the site asks you to provide personal data that it matches to information it already has.

   Identity Proofing is a great idea, in theory.  It's designed to bypass the "Facebook attack" that is effective on so many other websites, particularly those that ask for answers to "secret questions".  The so-called Facebook attack is when the answers to the secret questions or other identity information can easily be found on someone's Facebook page, or other social media (since Facebook is the "Kleenex" of social media! :-).

   Side note... as I've discussed in the past, the "correct" way to answer secret questions is to not answer them truthfully.  Then save your answers in your password vault.  You do have a password vault, right?

   The issue is that an ID thief can get to the site and set up an account in your name before you do!  They can then use that to get more identity and tax information about you.  Of course, the potential thief must know or guess a certain amount of information first.

   From the Krebs' article:
If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.
   From the IRS.gov website, here is what you need to sign up:
"The personal information you enter must match the information you provided us on your most recent tax return. We use the following information to verify your identity:
  • Name
  • Social Security Number or Individual Tax ID Number (ITIN)
  • Date of Birth
  • Filing Status
  • Mailing Address
  • Third Party Verification Questions - you must provide answers to questions about personal information such as prior address, mortgage information, etc., that only you should know.
You must also provide us with a valid email address, which we will confirm and use to notify you if your registration information changes. Your confirmation email should arrive quickly so check your junk folder if you don't see it."
   Note that you might need your tax return handy when you sign up.  You need to enter your info exactly as it appears in your tax records.  For example, did you use "road" or "rd" or "rd." in your address?

   Whether or not you plan to use the IRS online transcript services, you should still get in there and create your account... before someone does it for you!

Tuesday, March 24, 2015

GOOD DAY

   I received the following email recently.  Looks too good to be true!  $1.5Million united state dollars!  Maybe I should reply? :-)

   The only thing missing is a link or attachment.

   Of course, there are tons of emails like this around.  And people do respond.

   Would you respond?  How many people at your workplace would respond?  How would you help people recognize this kind of email and not respond?

--------------
From: Dr. Xxxxx Xxxxx
Reply-To: "Dr.Xxxxx Xxxxx"
To:
Date: Fri, Mar 20, 2015 at 6:58 AM
Subject: GOOD DAY

Good day,

How are you doing hoping all is well with you and your family? We know you might have forgotten about this your outstanding compensation payment due to delay on the delivery up till now. We are here by writing to inform you that your payment file was found in our Office and we discovered that your Compensation payment of $1.5Million united state dollars have not been sent to you as it was instructed by The Economic Community of West African States (ECO-WAS)We are here to inform you that your payment has been converted into ATM Visa/Master Card to free it from Expiring, and all the necessary Arrangement for your

ATM VISA CARD Payment worth of $1.5Million United State Dollars has been granted for your payment through Our ATM Card Department Center.Now Your ATM Visa/Master Card is well packaged with every legal documents to convey it having any problem with any Authorities or with your Federal Government therefore we are here by inviting you to our office here in Republic of Benin, Office Address, UNITED BANK OF AFRICA BENIN, Xxx Xxx n,Xxxx Xxxx 2000, to enable us complete the normal formalities and activation process of your ATM Visa Card and issue the Secret PIN CODE/NUMBER to enable

you start using it at any ATM MACHINE worldwide of your choice nearest to you, as soon as it is activated, But if you are unable to come down here in our office in person you will be required to update our ATM Department Center with your contact delivery details as stated below so that they will proceed with

the necessary arrangement for the delivery of your ATM VISA/MASTER CARD.

1. Your Full name, ________________
2. Your home Address, _____________
3. Your telephone number, _________
4. A copy of your ID, _____________
5. Your age/sex, __________________
6. Your occupation, _______________
7. Your country, __________________

Therefore you should contact OUR ATM CARD PAYMENT DEPARTMENT CENTER immediately on their below;

E-mail :( dr.xxxxx.243@gmail.com )
Contact Person;
Dr. Xxxxx Xxxxx
Director Of UNITED BANK OF AFRICA BENIN,
Telephone Number; +229 nnn-nnn-nn
Try to call him immediately to know when your ATM VISA CARD will be delivered to you. I am waiting for you to update us as soon as you have received your

Visa/Master ATM Card.
Thanks and God Bless You.
Yours sincerely

Dr. Xxxxx Xxxxx

Tuesday, March 10, 2015

Chip & Pin & a Tin Foil Wallet

   I've been talking a lot about ID Fraud lately and was recently asked this question:
"A question came up at home – and that is about use of credit card wallets that protect from rogue scanners. Are they necessary? Will they be more or less necessary when newer cards with embedded microchips are more prevalent?

I thought this might be an interesting topic for your blog."
   Thanks for the great question and idea to put this in a blog post!

   So, by credit card wallet I’m assuming that you mean some kind faraday cage or lead lined case that blocks electronic signals, as opposed to a credit card wallet like Google Wallet, Apple Pay or SoftCard.

   When it comes to old-school mag stripe cards… have you noticed how you sometimes have to reinsert or re-swipe the card in the reader, and even then it doesn’t always read?  Mag stripe is definitely a direct-physical-contact medium.  Other than vendor breaches or stolen (physical) wallets, the typical way someone can steal your mag-stripe card data is via some kind of skimmer.  There are very low profile skimmers that can be inserted into ATMs or gas pumps to grab your card data while you’re trying to do a legit transaction.  There are also hand-held or desktop units that an “evil waiter” can use to grab your card data when they take your card at a restaurant.  There are no reliable remote ways to read magnetic data off a card.  So, a lead wallet won’t help here at all.  It’s the same way you can’t read the contents of a hard drive just by being near it.

   Next is RFIDs.  That stands for Radio Frequency IDentification and, as the name implies, they do transmit data.  These are the chips in the tap & pay cards.  There are transmission-blocking wallets for RFID passports and things like that which transmit data.  So anything with RFID or a transmitter can be remotely read (at various distances).

   The new cards coming out will be chip & "something".  Currently in Europe they use chip & pin.  This is expensive to implement and requires replacing all the mag stripe readers with much costlier readers.  The chip is a microchip that computes a value and provides a 1-time-use code for a transaction.  Note that it does not use your credit card number.  In addition to that single use code, the person also needs to put in their numerical PIN.  So, even if the card was stolen, or the code could be remotely read, it couldn’t be used for a transaction without the PIN, and the code couldn't be reused.

   The US is actually considering chip & signature.  Among the reasons is that the cost will be lower even though the readers still need to be replaced.  (though, because of the marketing power of Apple and Apple Pay, many merchants have already upgraded readers).  The chip works the same way, but the 2nd part of the verification is the physical signature.  Not particularly strong but better than nothing.

   Now… neither of these new card types solves a particularly important case… Card Not Present.  This is when you buy something over the phone or internet.  So there’s no card reader nor person to look at your signature, and you don’t want to give some random merchant your PIN.

   There are a number of potential solutions in the works.  Verified-By-VISA or MasterCard SecureCode are examples of tools available now, even for mag stripe cards.  Basically, you choose one of these at online checkout; then you’re transferred to the VISA or MasterCard site; you authenticate there; the VISA or MasterCard site generates an acceptance code that get sent back to the merchant and you’re all set.

   So, chip & signature cards and readers will help deal with some of the credit card fraud we have, but we still need a standardized solution for Card Not Present (CNP).

   Now with that background, back to your initial question… remote reading of a magnetic stripe, chip & PIN or chip & signature card is not a major threat.  However, cards that use RFID, or any tap and pay technology, could be read remotely.

   You'd be far better off taking the precautions I listed in my previous ID Fraud articles including:

  • regularly viewing your credit report
  • watching your bills
  • shredding unneeded documents that have personal info
  • carrying only the minimum cards you need
  • using care online

   Thanks again for the great question!  If anyone has questions or ideas for things I should write about in the future, please let me know.

Tuesday, February 24, 2015

It Wasn't Englebart's Fault! (part 1)

   Douglas Englebart was an engineer, inventor and pioneer of the early internet.  He died in 2013.  He was known for a number of key ideas and inventions.  In 1967, he invented a very useful computer device that is a key component in propagating malware and facilitating phishing attacks... the Mouse!

   Of course, Englebart didn't invent email, email attachments, phishing emails or malicious links.

   The media is always buzzing with information about the latest breach or computer break-in.  We hear about advanced attacks, nation-states and possibility of cyber-war.  Many of these major attacks start with a simple click (or many clicks).

   Two of the main ways that malware is distributed or information is stolen is via:

  • malicious attachments sent in an email, and;
  • phishing emails with malicious links.
   For either of these methods to work, the recipient of the email needs to click... with a mouse! (well, you could also use a track-pad or track-ball).  The attachment needs to be opened.  If it's a zip file, it needs to be unzip'd.  If it's a link, clicking the link might either download malware or lead to a form asking for personal information.  Any of these actions could cause major problems.

   Let's discuss two issues:
  • what do these viruses do?
  • why can't my organization stop these? (or why can't I stop them at home?)
   This is, unfortunately, pretty complex and we'll probably handle these in two separate posts.

Why Viruses?

   As I've discussed in the past, this is really an economics issue.  There's illicit money to be made and there are smart people out there coming up with new ways to attack and take over systems.

   A typical computer virus does 1 of 3 things (I'm using the term virus generically - a virus is actually just one of a number of different types of malware (malicious software)).  It can even do more than one of these:
  1. connect "home" and download more viruses;
        This is an optional step.  The real goals are items #2 and #3.
  2. take over a computer so it can be remotely controlled, or;
        An attacker can take over a bunch of computers and use them to attack other computers or sell that capability to others. The computers taken over are called robots or bots.  They can be used to spread spam and more malware; to send a lot of traffic at target computers so they won't work properly or at all (this is called Denial of Service or DoS), or; might use other attack methods.
  3. steal information (the techy word for this is exfiltration).
        The stolen personal or corporate information can be sold or used to steal money from existing or newly created accounts.
  4. (bonus item) threaten to do the above (blackmail).
        An attacker might threaten to crash computers if not paid.  One kind of malware called "ransomware" encrypts your files so that only the attacker can decrypt them and charges you a fee to get your access back.
What can we do?

   This is a complex issue and we'll talk about protection methods next time.  For now, the best advice is to take measures we've often discussed here:
  • use anti-malware software
  • use care when opening attachments
  • use care when clicking on links
  • know who sent you that email, message, tweet, social network message, etc.
   I discussed these and other steps you can take in a post last year.

Tuesday, February 10, 2015

ID Fraud, Taxes and Doctors, Oh My!

   I did a series of posts last year on the problem of ID Fraud.  This is an ongoing issue, certainly because organizations struggle to protect information, there are cyber attackers out there, and also individuals don't often take steps to protect their own information.

   The bottom line is that your personal information, primarily your financial information, has tangible dollar value to a cyber attacker.

   We usually think about credit card fraud or maybe bank account fraud as the results of these kinds of data breaches.  But in this post and the next I'd like to talk about two other scenarios that have happened, are happening... and you need to be aware.

   It's that wonderful time of year again in the US.  Crisp weather, snow (most places), the days are starting to get a bit longer... and it's the beginning of tax filing season.

   Imagine you are doing your civic duty, filling out and filing your tax return.  You send it in to the IRS, only to find out that "you" already filed your return and "you' have already received your rather sizable refund - surprise!

   Unfortunately, this has happened.  And, as we've discussed in the past, these attackers are smart.  This is a business.  They need to be able to maximize profits because there is a limited timeframe in which to commit the crime.  So they need to attack a sub-population who:
  1. makes good money;
  2. might have many deductions;
  3. might have complex returns, and;
  4. for whom a large refund might not raise red flags.
   How about... Doctors!


   And, just as I finishing writing this article, we have new news out about tax fraud this year!  Reports say this is connected with Turbo Tax software, but it is more likely that scammers got people's info through other means and filed the fraudulent returns.  Maybe Turbo Tax is just the scammers software of choice! :-)

   As always, we want to talk about what you can do.

   In addition to the steps outlined in these previous blog posts, here is the IRS Guide on Identity Theft.  The IRS guide and my previous tips talk about not only what you should do if you are a victim, but tips to avoid the problem in the first place including:
  • protecting your personal information, primarily your social security number
  • don't click on links sent to you via email or in social media - type the link in yourself or do a search
  • use link rating applications like Web Of Trust (WOT)
  • don't give our your personal information via web, email, phone unless you can positively identify the person on the other end
  • review your bills, credit record and other information that might provide early warning of a problem.
   Have you been the victim of tax-related ID Fraud?  Do you have any additional tips to share?

   Of course, this issue is not just about doctors!  Next time we'll talk about something perhaps even closer to your wallet... payroll fraud and misuse.

Tuesday, January 27, 2015

How To Get Someone’s Password


   No matter what else is going on, it seems that I keep circling back to the subject of passwords.  I’ve covered this topic many times, including here, here and here.  But it’s a new year and a new week and passwords are in the news again

   I’ve jokingly said for many years that the easiest way to get someone’s password is to just ask them!  What I mean by that is that many people will inadvertently give up their userid and password via a Social Engineering attack.

   Wikipedia defines Social Engineering as the "psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme."

   An attacker can send a phishing email that either directly, or via a link to an online form, asks for a password.  They can call the victim on the phone, or call a help desk impersonating the victim.

   Or, they can just walk up to someone on the street and ask!...


   And this is certainly not the first time something like this has been tried.

   There you have it!  So protect your passwords… use a password vault; use different passwords for different systems; use strong passwords; watch out for phishing emails and calls, and; don’t give your password to someone else!

 
   For extra fun, try one of these phishing quizzes.  See if you can identify the imposters!  And reread this post on phishing.

Tuesday, January 6, 2015

The Secret Life of Passwords

   I've written about passwords plenty of times in the past.  Passwords are one of the main security touch-points for people, and it's often not a pleasant experience.

   As we've discussed, it's hard for people to pick good passwords and remember them.  So users need "tricks" to help the memory.  One way I've told people to construct a password is to base the password on an embarrassing moment in your life - that way you won't forget the password and you also won't tell it to anyone else.

   Apparently people have been using that, and similar, methods.  NY Times reporter Ian Urbana wrote a great piece on this called "The Secret Life of Passwords".  He asked people to tell him their passwords - yes, you shouldn't do that - but also the story behind the passwords.  There are some very interesting stories.  People seem to memorialize a part of their life in their passwords!  You can read the full story hereLeo Laporte did a great interview with Ian in the Triangulation podcast.  You can hear that here.

   I'd like to focus to two aspects of this story that jumped out at me.

   First is the story of Cantor Fitzgerald.  They are a large financial firm who were headquartered at the World Trade Center in 2001.  When the terrorist attacks hit the towers, Cantor Fitzgerald over two-thirds of their employees were killed.  That was tragic.